To make things more convenient and easy, Apple’s new iPhone X has removed the home screen button and has put up a face recognition technology to unlock the iPhone. The new biometric-Face ID uses a 3D scan of the face as a password to unlock the device. Some of the experts say, Apple might be exposing its users to a serious security risk.

“No matter how convenient, Face ID has a potent risk. Passwords are completely private and if needed can be protected with precautions. Your fingerprints, on the other hand, have a potential to be picked up from anywhere as you can’t just wear gloves everywhere. Now with FaceID, your sole authentication medium is always out in the open, up for grabs,” said Ankush Johar, director at BugsBounty.com, a crowd sourced security platform for ethical hackers and organisations.

Johar is of the view that if a user phone can use an infrared scan to trace every inch of their face then so can any other hardware. “It’s about time that someone finds a way to replay it back to your phone and it’s game over then,” he added.

Face ID requires the person to simply look at their phone and it automatically recognises the user’s face in a no time and unlocks itself. It also replaces Touch ID for Apple Pay. This means, even for transactions, all a user has to do is to look at iPhone X to authorise the transaction.

“With the iPhone X, your iPhone is locked until you look at it and it recognises you. Nothing has ever been more simple, natural, and effortless,” said Apple executive, Phil Schiller in the launch keynote address, adding that “this is the future of how we’ll unlock our smartphones and protect our sensitive information.”

Apple states that unlocking a phone via Face ID will be way more convenient than unlocking it with fingerprints, now that users won’t have to worry about wet hands etc. Apple is working too hard to make things convenient for its users.

Security concerns

However, the use of Face ID seems to be so effortless it raises a lot of security questions, said cybersecurity experts. In the past, there have been cases where a face recognition technology has been easily spoofed by using simple tricks. In 2009 security researchers demonstrated that they could spoof the face-based login system of laptops just by using a printed photo held in front of the camera. Not only that, in 2011, Android had a face unlock feature that required the person to blink in front of the camera before the phone would unlock itself. Researchers were successful in bypassing the security with a little photoshop effect.

“Fingerprint scanners can be defeated in multiple ways including using a plastic thumb or 2D printed fingerprints. Face Lock has also been broken easily by using just a high-res photo of a face. Face ID claims to use a 3D scan but with the advent of 3D printing, it is still possible to print a 3D model of your face to unlock your device without consent,” David Maciejak, director of security research, Fortinet told EC adding that “Android phones has embedded facial recognition long back and history shows it is not fool proof and can be bypassed easily.”

Agreeing with Maciejak, Pradipto Chakrabarty, regional director, Computing Technology Industry Association (CompTIA) said that in this era of hyper-accurate scanning, photo shopping and 3D printing and amazing graphic manipulation, it would not be very difficult for someone to create a way to manufacture and spoof a face. He asserted that Apple does a great job, generally, with their coding and they are apparently better than most other manufacturers. Despite best efforts by Apple there can be issues regarding flaws in the technology implementation itself.

“To make Face ID work, Apple iPhones uses a feature called Secure Enclave. But what if the system attracts something like the recent Equifax-like breach where a vulnerability in a web application software resulted in a huge number of consumer data being stolen? If such a thing happens with face ID, the bad actors will have more than just your password. They have the biometric information and thereby in effect have stolen you,” he said.

Although it is clear that hacking iPhone’s Face ID won’t be a child’s play. The new version of iPhone uses an infrared system to cast a grid of 30,000 invisible light dots onto the user’s face. The user is required to rotate his/her head while the camera captures the distortion of that grid to map the face’s 3D shape.

A senior officer from Ministry of Home Affairs who spoke on condition of anonymity, said in addition to security concern, there may be privacy issue, if phone 3D camera is always on. “I personally feel there is an element of privacy. What if, for some reason, someone from law enforcement wants to get into someone’s phone without their explicit permission? In many countries, a warrant or express permission is required. But with Face ID, a rogue law enforcement officer could simply hold the phone up to the face and get instant access,” said officer.

However, allaying the fear, one of the senior journalist, who attended the launch in Cupertino, California emphasised, “FaceID is not a new technology, it has been there. Apple has just made it more robust. If a person feels there is privacy or security issue, they may use other method of locking and unlocking of the phone. Face ID is not the only method of accessing iPhone X.” The journalist also said that iPhone X uses sensor to lit up the device which is already there in previous iPhone. “Camera is not always on.”

Agreeing with the views, Sean Sullivan, Security Advisor at F-Secure told EC, “Owning a smart phone with payment options is a potential risk, but, does the risk outweigh the benefits? Based on adoption of such technology, the answer from people at large appears to be “no.” They routinely say “yes” in favour of such tech.”

He added that the majority of fraud is still facilitated via physical mishandling of payment cards. “Technology moves risk, it doesn’t necessarily introduce it. In numerous ways, facial recognition is more secure than physically carrying around sensitive cards. Afraid of a thief taking your phone and pointing it at your face? That same thief could watch you enter your PIN and then steal your debit card. Or they could simply take your cash,” he said.

Apple’s reaction

Despite the security concerns, Apple is quite confident with their technology by saying that Face ID cannot be fooled by photographs, and they have tested the system against face masks which means that even a photo-realistic face mask won’t fool it. The company accept that Face ID does get confused by identical twins but it needs the user’s attention. It will require some kind of user’s interaction in order to successfully unlock the phone.

Apple’s Schiller said in a Keynote that even 3D printing the head won’t work in spoofing the FaceID. To further prove his point, he showed a photo of minutely detailed masks created by Hollywood special-effects consultants that he said Apple used to test the feature.

Agreeing with Apple, in a blogpost, cybersecurity firm Kaspersky Lab said, flat pictures just don’t have a 3-D map of infrared dots on them, which is needed to unlock new iPhone. “You don’t have to worry about someone stealing your face — the images captured by Face ID are kept in the encrypted memory of Apple’s special coprocessor called Secure Enclave. They are processed only on the device and are never sent to Apple’s servers or elsewhere. It doesn’t leave the Secure Enclave either, so no apps can gain access to your face scans,” wrote Alex Perekalin.

He further added that odds of someone unlocking Face ID with their face are 1 in a million compared with 1 in 50,000 for the Touch ID fingerprint reader, is quite impressive.

Which one is more secure – biometrics or passwords

There are pros and cons of both – biometrics or passwords methodologies. While using biometric like fingerprints or facial recognition is easy and convenient, but at the same time if someone is successful in replicating a person’s biometric data, unlike password they won’t be able to change it. The hacker will gain a life time access to their data unless of course, they use a different finger to unlock. A person can still not have two faces though. On the other side if a user has a weak password or he/she becomes a victim of social engineering that also will lead to a major security risk.

“In order to achieve a maximum level of security passwords and biometrics, both of them should be required to unlock a device. Even if one layer of security gets bypassed the user will still remain secure,” suggested Johar.

No silver bullets, follow the best practices

As famous American cryptographer Bruce Schneier said, ‘there are no silver bullets’ to cybersecurity. Schiller also noted during the announcement, there’s no such thing as an absolutely secure system. “Based on Face ID design, we can say that the new iPhone’s facial recognition should be more secure than that of traditional facial recognition done by a simple 2-D front-facing camera, and it might be more secure than the Touch ID fingerprint sensor. However, security researchers from all over the world will soon be trying to hack this system, so whether it is secure enough has yet to be determined,” said Perekalin, adding that fortunately, the traditional six-digit PIN code is still an option. Like any PIN, it is, of course, not ultimately secure, but at least it can’t leak biometric data to hackers.

“One of the basic best practices with a password is not to write it down or share it with someone or not to use the same password for all accounts. Similarly, we must implement best practices with biometric access too. For facial recognition, it’s a bit different, maybe doing a funny face would work? And maybe users can even make a different face for different “Face ID” enabled devices/apps,” said Maciejak of Fortinet.

He is of the view that bypassing biometric scanners may not be successful in one try, but it may be possible after a few tries. So, device manufacturers should design the devices in a way that after a few failed face recognition attempts, they revert to asking for traditional authentications like PIN or passcode as an added protection.

On the other hand, Chakrabarty said, “Technology development is imperative for us and therefore we should not err on the side of being excessive cautious. Apple phone and software are extremely secure and we should trust their development process which are usually breach proof.”

Agreeing with Chakrabarty, Sullivan of F-Secure said, “No technology is invulnerable. There will be flaws exposed and researchers will be able to defeat this new security control. But that will be in a specialised simulation, a set of “lab” experiments. Fears where raised regarding fingerprints being used to authenticate, flaws where demonstrated, and yet, the sky did not fall.”

“Apple Face ID needs to prove itself. But at this point, anybody who can actually afford to buy the iPhone X should well be capable of understanding the pros and cons,” he added.

Tweets by @ExpComputer

About

Express Computer is one of India's most respected IT media brands and has been in publication for 24 years running. We cover enterprise technology in all its flavours, including processors, storage, networking, wireless, business applications, cloud computing, analytics, green initiatives and anything that can help companies make the most of their ICT investments. Additionally, we also report on the fast emerging realm of eGovernance in India.